Version: main 🚧

Secrets

Supported Configurations
Running the control plane as a container with:

By default, this is enabled.

Sync Secret resources used by pods from the tenant cluster to the control plane cluster. Apps frequently need secret data to function.

Sync only utilized secrets from tenant to control plane cluster (Default)

    sync:
      toHost:
        secrets:
          enabled: true

Sync all secrets from tenant to control plane cluster

vCluster only knows about a couple of tenant cluster resources that actually use secrets, and by default it syncs only the secrets those resources use into the control plane cluster. If secrets your workloads need are not being synced, you can enable syncing of all tenant cluster secrets:

    sync:
      toHost:
        secrets:
          enabled: true
          all: true
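
To see what `all: true` changes for one namespace, the following added example (not vCluster's code) lists which Secrets the pod specs reference and which exist without any pod reference. It assumes manifests shaped like `kubectl get -o json` items; the pod and Secret names are constructed, and only pod references are checked, so the second list is an upper bound on what `all: true` adds.

```python
# Added example, not vCluster code. PODS and SECRETS are constructed sample data
# for a single tenant namespace; only pod references are checked (assumption).

def secrets_used_by_pod(pod):
    """Return the names of Secrets referenced by one Pod manifest (dict)."""
    spec = pod.get("spec", {})
    used = {r["name"] for r in spec.get("imagePullSecrets", []) if "name" in r}
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            used.add(vol["secret"]["secretName"])
        for src in vol.get("projected", {}).get("sources", []):
            if "secret" in src:
                used.add(src["secret"]["name"])
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for env in c.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                used.add(ref["name"])
        for src in c.get("envFrom", []):
            if "secretRef" in src:
                used.add(src["secretRef"]["name"])
    return used

def split_secrets(pods, secret_names):
    """Return (referenced by pods, present but unreferenced) as sorted lists."""
    used = set()
    for pod in pods:
        used |= secrets_used_by_pod(pod)
    existing = set(secret_names)
    return sorted(used & existing), sorted(existing - used)

PODS = [{
    "metadata": {"name": "web", "namespace": "app"},
    "spec": {
        "imagePullSecrets": [{"name": "registry-cred"}],
        "volumes": [{"name": "tls", "secret": {"secretName": "web-tls"}}],
        "containers": [{
            "name": "web",
            "env": [{"name": "DB_PASS", "valueFrom": {
                "secretKeyRef": {"name": "db-cred", "key": "password"}}}],
            "envFrom": [{"secretRef": {"name": "web-env"}}],
        }],
    },
}]
SECRETS = ["registry-cred", "web-tls", "db-cred", "web-env", "ci-token", "backup-key"]

if __name__ == "__main__":
    print(split_secrets(PODS, SECRETS))
```
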

Patches

Use sync.toHost.secrets.patches to transform Secret fields while syncing to the control plane cluster. See Patching synced resources for syntax, directionality, and examples.

Config reference

Do Not Disable

Disabling the syncing of this resource could cause the vCluster to not work properly.

secrets (object)

Secrets defines if secrets created within the virtual cluster should get synced to the host cluster.

secrets.enabled (boolean, default: true)

Enabled defines if this option should be enabled.

secrets.all (boolean, default: false)

All defines if all resources of that type should get synced or only the ones that are needed.

secrets.patches (object[])

Patches patch the resource according to the provided specification.

secrets.patches[].path (string, required)

Path is the path within the patch to target. If the path is not found within the patch, the patch is not applied.

secrets.patches[].expression (string)

Expression transforms the value according to the given JavaScript expression.

secrets.patches[].reverseExpression (string)

ReverseExpression transforms the value according to the given JavaScript expression.

secrets.patches[].reference (object)

Reference treats the path value as a reference to another object and rewrites it automatically based on the chosen mode. In single-namespace mode the name is translated to "vxxxxxxxxx" to avoid conflicts with other names; in multi-namespace mode the name is not translated.

secrets.patches[].reference.apiVersion (string, required)

APIVersion is the apiVersion of the referenced object.

secrets.patches[].reference.apiVersionPath (string)

APIVersionPath is the optional relative path to use to determine the apiVersion. If APIVersionPath is not found, it falls back to apiVersion.

secrets.patches[].reference.kind (string, required)

Kind is the kind of the referenced object.

secrets.patches[].reference.kindPath (string)

KindPath is the optional relative path to use to determine the kind. If KindPath is not found, it falls back to kind.

secrets.patches[].reference.namePath (string)

NamePath is the optional relative path to the reference name within the object.

secrets.patches[].reference.namespacePath (string)

NamespacePath is the optional relative path to the reference namespace within the object. If omitted or not found, namespacePath defaults to the metadata.namespace path of the object.

secrets.patches[].labels (object)

Labels treats the path value as a labels selector.